
2013/08/02

FBI Taps Hacker Tactics to Spy on Surveillance Targets

Law-Enforcement Officials Expand Use of Tools Such as Spyware as People Under
Investigation 'Go Dark,' Evading Wiretaps

By JENNIFER VALENTINO-DEVRIES and DANNY YADRON

Law-enforcement officials in the U.S. are expanding the use of tools routinely
used by computer hackers to gather information on suspects, bringing the
criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court
documents and interviews with people involved in the programs provide new
details about the hacking tools, including spyware delivered to computers
and phones through email or Web links—techniques more commonly associated
with attacks by criminals.

People familiar with the Federal Bureau of Investigation's programs say that
the use of hacking tools under court orders has grown as agents seek to keep
up with suspects who use new communications technology, including some types
of online chat and encryption tools. The use of such communications, which
can't be wiretapped like a phone, is called "going dark" among law enforcement.
A spokeswoman for the FBI declined to comment.

The FBI develops some hacking tools internally and purchases others from
the private sector. With such technology, the bureau can remotely activate
the microphones in phones running Google Inc.'s Android software
to record conversations, one former U.S. official said. It can do the same
to microphones in laptops without the user knowing, the person said. Google
declined to comment.

The bureau typically uses hacking in cases involving organized crime, child
pornography or counterterrorism, a former U.S. official said. It is loath
to use these tools when investigating hackers, out of fear the suspect will
discover and publicize the technique, the person said.

The FBI has been developing hacking tools for more than a decade, but rarely
discloses its techniques publicly in legal cases.

Earlier this year, a federal warrant application in a Texas identity-theft
case sought to use software to extract files and covertly take photos using
a computer's camera, according to court documents. The judge denied the
application, saying, among other things, that he wanted more information
on how data collected from the computer would be minimized to remove information
on innocent people.

Since at least 2005, the FBI has been using "web bugs" that can gather a
computer's Internet address, lists of programs running and other data, according
to documents disclosed in 2011. The FBI used that type of tool in 2007 to
trace a person who was eventually convicted of emailing bomb threats in
Washington state, for example.

The FBI "hires people who have hacking skill, and they purchase tools that
are capable of doing these things," said a former official in the agency's
cyber division. The tools are used when other surveillance methods won't
work: "When you do, it's because you don't have any other choice," the official
said.

Surveillance technologies are coming under increased scrutiny after disclosures
about data collection by the National Security Agency. The NSA gathers bulk
data on millions of Americans, but former U.S. officials say law-enforcement
hacking is targeted at very specific cases and used sparingly.

Still, civil-liberties advocates say there should be clear legal guidelines
to ensure hacking tools aren't misused. "People should understand that local
cops are going to be hacking into surveillance targets," said Christopher
Soghoian, principal technologist at the American Civil Liberties Union. "We
should have a debate about that."

Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking
conference in Las Vegas, said information about the practice is slipping
out as a small industry has emerged to sell hacking tools to law enforcement.
He has found posts and resumes on social networks in which people discuss
their work at private companies helping the FBI with surveillance.

A search warrant would be required to get content such as files from a suspect's
computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who
until December was the Justice Department's primary authority on federal
criminal surveillance law. Continuing surveillance would necessitate an even
stricter standard, the kind used to grant wiretaps.

But if the software gathers only communications-routing "metadata"—like
Internet protocol addresses or the "to" and "from" lines in emails—a
court order under a lower standard might suffice if the program is delivered
remotely, such as through an Internet link, he said. That is because nobody
is physically touching the suspect's property, he added.

An official at the Justice Department said it determines what legal authority
to seek for such surveillance "on a case-by-case basis." But the official
added that the department's approach is exemplified by the 2007 Washington
bomb-threat case, in which the government sought a warrant even though no
agents touched the computer and the spyware gathered only metadata.

In 2001, the FBI faced criticism from civil-liberties advocates for declining
to disclose how it installed a program to record the keystrokes on the computer
of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt
a document. He was eventually convicted.

A group at the FBI called the Remote Operations Unit takes a leading role
in the bureau's hacking efforts, according to former officials.

Officers often install surveillance tools on computers remotely, using a
document or link that loads software when the person clicks or views it.
In some cases, the government has secretly gained physical access to suspects'
machines and installed malicious software using a thumb drive, a former U.S.
official said.

The bureau has controls to ensure only "relevant data" are scooped up, the
person said. A screening team goes through all of the data pulled from the
hack to determine what is relevant, then hands off that material to the case
team and stops working on the case.

The FBI employs a number of hackers who write custom surveillance software,
and also buys software from the private sector, former U.S. officials said.

Italian company HackingTeam SRL opened a sales office in Annapolis, Md.,
more than a year ago to target North and South America. HackingTeam provides
software that can extract information from phones and computers and send
it back to a monitoring system. The company declined to disclose its clients
or say whether any are in the U.S.

U.K.-based Gamma International offers computer exploits, which take advantage
of holes in software to deliver spying tools, according to people familiar
with the company. Gamma has marketed "0 day exploits"—meaning that the
software maker doesn't yet know about the security hole—for software
including Microsoft Corp.'s Internet Explorer, those people said. Gamma,
which has marketed its products in the U.S., didn't respond to requests for
comment, nor did Microsoft.

Write to Jennifer Valentino-DeVries at Jennifer.Valentino-DeVries@wsj.com
and Danny Yadron at danny.yadron@wsj.com

A version of this article appeared August 2, 2013, on page A5 in the U.S.
edition of The Wall Street Journal, with the headline: FBI Taps Hacker Tactics
to Spy on Suspects.